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(54) Network monitoring appliance 

(57) A network hub (H1) responds to network prob- 
lems by generating traps in conformance with the Sim- 
ple Network Management Protocol(SNMP). In generat- 
ing a trap, the hub includes a Uniform Resource Locator 
(URL) as a text string incorporated in the trap. The net- 
work hub incorporates a server (306) conforming to the 
HyperText Transfer Protocol (HTTP) used by the World 
Wide Web. The server has its own home page and the 
URL incorporated in the trap points to a subpage of that 
home page. When a network management station (W1) 



receives the trap, the URL is displayed as a hypertext 
link. When the link is "clicked", a web browser is activat- 
ed and is pointed to the URL so that an HTTP "get" com- 
mand is transmitted. When the hub receives the "get" 
command, it responds by generating the requested sub- 
page. The subpage is presented as a World Wide Web 
page with a full presentation of data relating to the event 
triggering the trap. In addition, the subpage includes ac- 
tive elements (hypertext links, buttons, and/or menu 
items) that when activated initiate a course of action to 
address the detection of the network problem. 
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Description 

[0001] The present invention relates to computer net- 
works and, more particularly, to a network appliance 
which can monitor parameters (e.g., related to their own 
and/or a network's performance) to facilitate fault han- 
dling in a computer network. 

[0002] Computer networks allow computer users to. 
communicate, collaborate, and share resources. While 
there are peer-to-peer computer networks, most sophis- 
ticated networks use network infrastructure appliances, 
e.g., hubs, switches, and routers, to manage communi- 
cation between end-node appliances, e.g., computers, 
printers, modems, instrumentation, etc. A typical net- 
work infrastructure appliance includes multiple ports, 
each of which can be coupled to an end-node appliance 
or another network appliance. Networked end-node ap- 
pliances communicate with each other through the net- 
work infrastructure appliances. 
[0003] Just as individuals rely increasingly on com- 
puters for getting their work done, corporations rely in- 
creasingly on networks for getting their personnel to 
work cooperatively. When a network fails, group efforts 
grind to a halt, as do individual efforts relying on network 
resources. To a lesser degree, productivity is adversely 
affected when network performance is impaired. Ac- 
cordingly, maintaining a network working and perform- 
ing at optimal levels is highly desirable, if not critical. 
Unfortunately, such maintenance can also be quite dif- 
ficult. 

[0004] Many network appliances monitor perform- 
ance-related parameters and, when the values of these 
parameters fail to meet certain criteria, transmit a noti- 
fication to that effect over the network. For example, net- 
work infrastructure appliances often include counters for 
counting certain network related events (e.g., packet 
collisions); when a count or a combination of counts in- 
dicates a problem, a "trap" can be transmitted in accord- 
ance with a Simple Network Management Protocol 
(SNMP). For another example, a printer can monitor its 
components; when a problem is detected, the printer 
can transmit an "inform" in accordance with a Desktop 
Management Interface (DM I) protocol. 
[0005] The various notifications can be received by a 
network management station, such as a computer de- 
voted at least in part to network management. The net- 
work management station can present the notifications 
to a human administrator, who can determine whether 
or not corrective action is required and who can under- 
take corrective action if required. 
[0006] In many cases, the information included in the 
notification is not comprehensive. Transmitting ail perti- 
nent information regarding triggering events might un- 
duly burden a network; also, the pertinence of the infor- 
mation might wane if the administrator does not address 
the notification immediately. Accordingly, a concise no- 
tification is often a prelude to a more detailed investiga- 
tion by the administrator. 



[0007] When the more detailed information is desired, 
the administrator can request (through the network 
management station) that the network appliance trans- 
mit additional information. If the detailed information is 
s presented in "raw" form, considerable demands are 
made on the expertise of the administrator in interpret- 
ing the data to diagnose the problem and in evaluating 
alternative courses of action. These demands are com- 
pounded in the common case where the network in- 
to eludes many appliance types, each with its own relevant 
parameters and alternative corrective actions. Since the 
individual trigger events might occur infrequently, an ad- 
ministrator might have to refer to the appropriate appli- 
ance manual each time a triggering-event notification is 
15 received. 

[0008] The burden on the administrator can be re- 
lieved considerably by including the expertise into the 
network management station. The network manage- 
ment station can include a characterization of each ap- 

20 pliance type on the network. The characterization can 
be used in interpreting appliance data and in suggesting 
alternative courses of action. 
[0009] While such a solution appears feasible in a net- 
work in which all appliances (including the network man- 

25 agement station) are from a single vendor, it is less 
workable where there are appliances from multiple ven- 
dors involved. Furthermore, when a new appliance type 
is added to the network, the network management sta- 
tion would have to be updated (e.g., through a patch or 

30 module added to the network management program 
running on the network management station). This 
might mean that each new appliance would have to be 
sold with program updates for each network administra- 
tion program. 

35 [001 0] Thus, however they are allocated between the 
administrator and the network management station, the 
tasks of notification data interpretation and of determin- 
ing responses can be unduly burdensome. 
[0011] The present invention seeks to provide an im- 

40 proved network appliance. 

[0012] According to an aspect of the present inven- 
tion, there is provided a network appliance as specified 
in claim 1 . 

[001 3] According to another aspect of the present in- 
^5 vention, there is provided a method of operating a net- 
work appliance as specified in claim 5. 
[001 4] The preferred embodiment provides a network 
administration system, which minimizes the burden on 
the network administrator while allowing ready expand- 
so ability of a network. 

[001 5] The preferred embodiment provides a network 
appliance that incorporates both asynchronous notifica- 
tion of "triggering" events and a server that confirms to 
an interactive network transfer protocol such as the Hy- 
55 perText Transfer Protocol (HTTP). When the network 
appliance detects a triggering event calling for notifica- 
tion and specifies therein a "Uniform Resource Locator" 
(URL) including a "Uniform Resource Identifier" (URI) 
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pointing to a network location on the server. 
[0016] The preferred embodiments provide a variety 
of ways for a network management station to handle the 
notification. For example, they can simply inform a user 
of the URL by displaying it in text form on a display. In 5 
this case, a user can copy the URL to a web browser 
(or other HTTP-enabled program), and access the loca- 
tion characterizing the triggering event. Preferably, the 
network management station either incorporates or in- 
terfaces with a browser so that a simple point and click 
operation accesses the network appliance server. In this 
vein, the network management program can present the 
URL as a hypertext link, as a button, or as a menu se- 
lection. Activating the link, button or menu item can ac- 
cess the URL directly or, alternatively, call a browser that 
in turn accesses the URL. 

[001 7] When the URL is accessed, the network appli- 
ance server can provide the information relating to the 
event in conformance with the HTTP standard. Prefer- 
ably, the information is presented on a web page that is 
a subpage of a home page associated with the server. 
Also preferably, the subpage can include active display 
elements (hypertext links, buttons, and/or menu items) 
that can initiate network management actions appropri- 
ate to the triggering event. These actions can involve 
changing the state of the network appliance (e.g., by re- 
setting counters) for further diagnosis or for ignoring the 
event. To conserve memory on the appliance, the sub- 
page can be generated after the URL is received (rather 
than when the notification is transmitted). 
[0018] Unlike most appliances with web servers, the 
preferred embodiment can provide for efficient access 
to asynchronous (not initiated by the user) events at the 
server For the most part, the web interface is operated 
by user commands; in other words, the web interface 
mostly provides for synchronous communication from 
the server and the user. Combining the web interface 
with a network or appliance management protocol al- 
lows asynchronous network events to initiate interaction 
with the web server on the network appliance. In gener- 
al, access to appliances is through the home page. It is 
often necessary to navigate to various subpages to find 
information of interest. By providing the URI (the part of 
the URL indicating the location within a server where 
certain information can be found), this embodiment 
avoids the tedium of navigating through a web interface. 
[0019] An interactive-network-transfer protocol is a 
network protocol in which: 1 ) a client can transmit a com- 
mand to a server; 2) the server responds to the com- 
mand by transmitting (generating first if required) data 
including active elements to the client; 3) the client dis- 
plays the data including representations of the active el- 
ements; 4) activation of active elements by a client user 
causes data to be transmitted to the server; and 5) the 
server, upon receiving data transmitted in response to 
activation of an active element, performs some action, 
typically involving the transmission of data to the client 
so that the client display is modified. HTTP is the most 



widely familiar interactive-network-transfer protocol. 
However, the embodiment can be applied in the context 
of alternative interactive-network-transfer protocols. 
[0020] One advantage of the preferred embodiment 
is that it provides a familiar interface for a network ad- 
ministrator to manage a network. For example, the 
World Wide Web is not only a standard interface for the 
Internet, but also for intranets. Also, there is a trend to 
provide network appliances with web interfaces. Thus, 
minimal training is required for a network administrator 
to learn the interface. 

[0021] A second advantage, which is both subtle and 
surprising, is that it obviates the need to update the net- 
work management software as new types of network ap- 
pliances are incorporated into the network. All the infor- 
mation regarding a triggering event and the options for 
handling it are handled by the web server on the network 
appliance. The network management program on the 
network management station does not need to have a 
characterization of each network appliance. The only re- 
quirement is that the network management program be 
able to communicate the URL associated with the trig- 
gering event to the user or to the user's browser. 
[0022] A third advantage is that effort on the user's 
part in accessing information about the triggering event 
is minimized. In a typical realization, one point-and-click 
operation is required to access the relevant page of the 
appliance server; one more point-and-click is often suf- 
ficient as a response to the triggering event. 
[0023] A fourth advantage is that network burden is 
minimized. Since the network appliance provides the 
notification asychronously, there is no need for a net- 
work management station to maintain a continuous con- 
nection with or to repeatedly poll appliances employing 
the present invention. Thus, network traffic directed to 
network management is minimized when there are no 
problems requiring notification. 
[0024] An embodiment of the present invention is de- 
scribed below, by way of example only, with reference 
to the accompanying drawings, in which: 
[0025] Figure 1 is a schematic diagram of a network 
incorporating an embodiment of appliance. 
[0026] Figure 2 is a schematic diagram of a hub of the 
network of Figure 1 and incorporating the appliance. 
[0027] Figure 3 is a data flow diagram of a preferred 
method practiced in the context of the network of Figure 
1. 

[0028] Figure 4 is an image of a portion of a window 
on a network management station generated in re- 
sponse to notifications transmitted in accordance with 
the method of Figure 3. 

[0029] FIGURE 5 is an image of a browser window on 
a network management station generated in response 
to a "get" request issued in accordance with the method 
of FIG. 3. 

[0030] In the preferred embodiment, a network sys- 
tem AP1 includes three repeater hubs H1, H2, and H3, 
three computer workstations W1 , W2, and W3, a mon- 
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ochrome laser printer P1, a color laser printer P2, and 
a color ink-jet printer P3, and eight cables. Six of the 
eight cables are coupled to the six node appliances W1 , 
W2 f W3, P1 , P2, P3; the other two cables CH1 and CH3 
couple hubs. 5 
[0031] Hub H1 has four ports, P11, P12, P13, and 
P14. Port P11 is not being used. Port P12 is coupled to 
printer P1 . Port P1 3 is coupled to hub H2 via cable CH 1 . 
Port P14 is coupled to workstation W1. Workstation W1 
includes a hard disk HD1 on which a network manage- io 
ment program and a web browser are stored. 
[0032] Hub H2 also has four ports, P2 1 , P22, P23, and 
P24. Port P21 is coupled to port P13 of Hub H1 via cable 
CH1. Port P22 is coupled to printer P2. Port P23 is cou- 
pled to hub H3 via cable CH3. Port P24 is coupled to *5 
workstation W2. 

[0033] Hub H3 has four ports, P31, P32, P33, and 
P34. Port P31 is coupled to port P23 via cable CH3. Port 
P32 is coupled to printer P3. Port P33 is not being used. 
Port P34 is coupled to workstation W3. 20 
[0034] Hub H1 comprises a repeater 12, a processor 
14, volatile random-access memory (RAM) 16, nonvol- 
atile flash memory 18, and a media access controller 
20, as shown in FIG. 2. The latter four elements are cou- 
pled via a communications bus 22. Repeater 12 in- 25 
eludes groups of counters PC1, PC2, PC3, and PC4, 
which are dedicated to respective ports, and a repeater- 
wide group of counters PCR. Processor 14 executes 
programs stored in flash memory 1 8, controlling repeat- 
er 12 directly over a control bus 24. These appliance- 30 
resident programs provide for network monitoring proc- 
esses by reading the counters, event handling, web 
serving, and storing event data in volatile RAM memory 
16 in the form of a Management Information Base (MIB). 
Media access controller 20 is coupled to repeater 12 35 
through an internal port PCH, permitting controller 20 to 
serve as the source and destination of network commu- 
nications. 

[0035] The functional components of hub H1 are rep- 
resented in FIG. 3. Multiple network monitoring process- *o 
es 301 are performed in parallel by polling various hub 
counters. When a count or a calculation based on 
counts goes beyond a trigger threshold, an event han- 
dler 302 activates an event trigger at 303. The event trig- 
ger causes the data pertinent to the triggering event to 45 
be stored in Management Information Base at 304. 
[0036] The event trigger identifies an enterprise 
based on the triggering event to a trap builder 305 of 
event handler 302. Management Information Base 304 
provides the values (binds) for the parameters (varia- 50 
bles) associated with the enterprise. Included among 
the parameters are those associated with the triggering 
event and a Uniform Resource Locator (URL) in the form 
of a text string. 

[0037] The URL includes two portions: a first that 55 
identifies the web server network address; and a sec- 
ond, the Uniform Resource Indicator (URI), that indi- 
cates web content on the server. To save on memory, 
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no web page is actually created at the web location 
pointed to by the URI when the trap is generated. In- 
stead, the web page is created after it is requested in 
response to an HTTP "get" request. 
[0038] Trap builder 305 transmits the trap over the 
network to network management station W1 , whence it 
is passed to network management program 401, and 
more specifically to its trap handler 402. Trap handler 

402 notifies the user 404 by placing a message on the 
computer display at 403 that a network event has taken 
place. In addition, trap handler 402 provides the trap da- 
ta to other portions of management program 401 for log- 
ging and other standard network management actions 
to be taken. 

[0039] User 404, once notified, can use a pointing de- 
vice such as a mouse to click on a button displayed at 

403 that calls web browser 405. This action is shown at 
jointed arrow 406. As web browser 405 is accessed, trap 
handler 402 passes at 407 the URL generated by trap 
builder 305 to web browser 405 so that it is incorporated 
into an HTTP "get" action at 408. 

[0040] The "get" action is transmitted to a web server 
306 of hub H1 . The web server parses the Uniform Re- 
source Indicator and provides it to an incorporated con- 
tent creator 307. Content creator 307 accesses Man- 
agement Information Base 304 to determine the nature 
of the triggering event. Content creator 307 also access- 
es a web design module 308 to determine how informa- 
tion about the event and other appliance-specific infor- 
mation is to be presented. Appliance-specific informa- 
tion is useful since the same event, e.g., a collision 
count, can have different implications for different appli- 
ances (e.g., hubs versus switches). The web design in- 
formation and the event information are coordinated by 
content creator 307, which thus generates a web page 
(having the URL generated by trap builder 305 as its 
network address). This web page is transmitted as an 
HTTP response at 309 to web browser 405, whence it 
is displayed at 409. 

[0041] The web page identifies the event that trig- 
gered the trap, organizes the data related to the event, 
and lists alternative courses of action that can be taken. 
Actions that can be performed without additional inter- 
vention are presented as buttons in the browser. When 
activated at arrow 410, a button causes an HTTP mes- 
sage to be communicated to web server 306, which then 
implements the action called for (e.g., by reading MIB 
304, or by resetting a network monitor process). 
[0042] Fig. 4 shows a portion of a window in network 
management program showing two sequential notifica- 
tions, first a warning, then a stop, of a network loop on 
an appliance with a URL http:W10-7.11.15. Clicking on 
either line activates a drop down menu. Selecting 
"browse URL" sends a "get" request to the appliance 
server. Performing this sequence for the top line causes 
the web page shown in FIG. 5 to be generated, trans- 
mitted, and displayed. In this case, the web page de- 
scribes the problem detected, offers a solution, and in- 
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dicates what ports, if any, have been disabled automat- 
ically. In addition, four active elements, in this case but- 
tons with text, offer one-click access to alternative 
courses of action. 

[0043] A major advantage of the illustrated hub oper- 5 
ation is best understood from the perspective of the us- 
er. Once notified asynchronously of a problematic event, 
the user needs only to "point and click", e.g., with a 
mouse, once to obtain a complete description of the 
problem. Furthermore, the description is provided using 
a standard ergonomic graphical interface. One more 
point and click by the user can instigate a corrective ac- 
tion. Thus, many network problems can be addressed 
with a pair of point and click operations. 
[0044] Another advantage comes into operation when 
the network is upgraded by adding a new type of net- 
work appliance incorporating the present invention. The 
network appliance can include provisions for monitoring 
new parameters and new options for responding to net- 
work problems can be provided. This allows such a net- 
work appliance to be added to the network without re- 
placing or updating the network management station. 
[0045] In the preferred embodiment, the network ap- 
pliance is a hub; the system applies to other network 
infrastructure appliances such as switches and routers, 
as well as to end-node appliances such as computers, 
printers, and modems. While, in the preferred embodi- 
ment, the network appliance conforms to SNMP, other 
protocols, such as DM I and proprietary protocols, can 
be employed. 

[0046] In the preferred embodiment, the appliance 
transmits the URL in its entirety as a text string. In this 
case, it is the content, not the form of the URL that is 
important. For example, the URI can be transmitted and 
the server portion of the URL can be constructed from 
the notification in accordance with the protocol em- 
ployed. 

[0047] The network management station can present 
the URL as a hypertext link. Alternatively, the URL can 
be presented as text that can be copied and pasted into 
a browser. Instead of a hypertext link, the URL can be 
presented implicitly as a button or as a menu option. 
When an active element corresponding to the URL is 
activated, the appliance can be accessed directly by the 
network management program (if it incorporates the HT- 
TP protocol) or indirectly (in which case, the network 
management program calls the browser and preferably 
passes the URL to it). 

[0048] While HTTP is the dominant interactive-net- 
work-transfer protocol, the present invention provides 
for alternatives that provide for active elements. The pa- 
rameters can be of several types: those that indicate 
problems with the network; those that indicate problems 
with the appliances incorporating the invention; and 
problems associated with appliances monitored by an 
appliance in accordance with the invention. For exam- 
ple, a redundant uninterruptable power supply might be 
coupled to a network appliance through a non-network 
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connection (e.g., a serial port) to indicate when one of 
the redundant component fails; in this case, the network 
appliance can "translate" the power supply notification 
to one receivable by the network management station. 
Accordingly, the preferred embodiment provides for 
maintenance of both network and non-network appli- 
ances from a common network management program. 
[0049] in the preferred embodiment, the server is con- 
tained entirely within the appliance enclosure. However, 
the invention provides for the use of a server that is part- 
ly or completely external to the appliance enclosure. For 
example, the appliance can send a URL pointing to an 
external server. This server can either access the appli- 
ance or maintain a copy of the appliance's Management 
Information Base. Such a server can serve several ap- 
pliances in accordance with this variation In another al- 
ternative embodiment, the appliance provides the URL 
associated with its internal server, but forwards the "get" 
command to a remote server. Both these alternatives 
minimize the storage requirements for individual appli- 
ances. 

[0050] The system can provide appliances that mon- 
itor a single parameter as well as to appliances that 
monitor multiple parameters. In the latter case, to appli- 
ances may look at a combination of parameters to de- 
termine when some notifications are to be made. In the 
latter case, plural scalar or vector parameters can be 
treated as a single vector parameter, the values for 
which are also vectors. 

[0051] The disclosures in United States patent appli- 
cation no. 09/217,684, from which this application 
claims priority, and in the abstract accompanying this 
application are incorporated herein by reference. 



Claims 

1 . A network appliance (H 1 ) comprising: 

at least one port (P14) for communicating with 
other network appliances (W1) on a common 
network; 

a monitor (301) for detecting when a triggering 
event has occurred; 

a notification generator (302) for generating a 
notification of said triggering event and for 
transmitting said notification through said port 
to said other network appliances, said notifica- 
tion specifying a URL having an associated net- 
work address; and 

an interactive-network-transfer-protocol server 
(306) to which said network address belongs, 
said server being operable to respond in ac- 
cordance with protocol to a request specifying 
said URL by providing data pertaining to said 
triggering event. 

2. A network appliance as recited in Claim 1 wherein 
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said server is operable to provide, along with said 
data pertaining to said triggering event, active ele- 
ments that when activated initiate one or more 
courses of action in response to said triggering 
event. 5 



3. A network appliance as recited in Claim 1 wherein 
said server has a home page (10.7.11.15) and a 
subpage (FIG. 5) of that home page, said subpage 
being the location addressed by said URL. * o 

4. A network appliance as recited in Claim 1 wherein 
said server conforms to an HTTP protocol and said 
request is an HTTP "get" command and said server 

is operable to generate a web page in response to *5 
said "get" command, said web page being the loca- 
tion addressed by said URL. 

5. A method of operating an appliance on a network 
comprising the steps of: 20 



monitoring (301) a parameter; 
in the event the value of said parameter indi- 
cates the occurrence of a triggering event re- 
quiring notification to another appliance on said 25 
network, generating and transmitting (302) on 
the network a notification, said notification 
specifying a URL; and 

in the event that a request is received specify- 
ing said URL, transmitting (306) data pertinent 30 
to said triggering event on said network. 



6. A method as recited in Claim 5 wherein said request 
is an HTTP "get" command, and said providing step 
involves presenting said data on a web page. 35 

7. A method as recited in Claim 6 wherein said web 
page includes an active element that when activat- 
ed initiates an appropriate response to said notifi- 
cation. 40 



8. A method as recited in Claim 7 wherein said web 
page is generated in response to reception of said 
"get" request. 
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